Geekzone: technology news, blogs, forums
t0ny

306 posts

Ultimate Geek

Lifetime subscriber

#236053 15-May-2018 19:57

Hi, I have been stuffing around with my working network to make administration a bit easier. How I would like it to work is to have my ER Lite set up so it becomes the DHCP server for all my VLANs, and then have the Cambium access points centrally managed via the cloud admin tool. My problem at the moment is that everything on VLAN 1 is working fine, but a separate VLAN (30) does not appear to work as expected. The wifi client just gets stuck on trying to retrieve an IP.

 

The E600 is set up as follows:

ACL:

Trunk:

VLAN:

On my DLINK switch:

And finally, on the erlite:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group IOT_VLAN_BLOCK_NETS {
            description "Drop IoT traffic to other VLANs"
            network 192.168.1.0/24
            network 192.168.20.0/24
        }
        network-group LAN_NETWORKS {
            description "RFC1918 LAN Networks"
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
        network-group VIDEO_VLAN_BLOCK_NETS {
            description "Drop Video Camera traffic to other VLANs"
            network 192.168.20.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IOT_WIFI_PROTECT_IN {
        default-action accept
        rule 10 {
            action accept
            description "Accept IoT WiFi Established/Related"
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop IOT_VLAN_BLOCK_NETS"
            destination {
                group {
                    network-group IOT_VLAN_BLOCK_NETS
                }
            }
            protocol all
        }
    }
    name IOT_WIFI_PROTECT_LOCAL {
        default-action drop
        rule 10 {
            action accept
            description "Accept DNS"
            destination {
                port 53
            }
            protocol udp
        }
        rule 20 {
            action accept
            description "Accept DHCP"
            destination {
                port 67
            }
            protocol udp
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        speed auto
        vif 30 {
            address 192.168.30.1/24
            description IoT
            firewall {
                in {
                    name IOT_WIFI_PROTECT_IN
                }
                local {
                    name IOT_WIFI_PROTECT_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                domain-name xxxxxl
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name VLAN30_IOT {
            authoritative disable
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
                dns-server 192.168.30.1
                lease 86400
                start 192.168.30.50 {
                    stop 192.168.30.100
                }
            }
        }
        static-arp disable
        use-dnsmasq enable
    }
    dns {
        forwarding {
            cache-size 400
            listen-on eth1
            listen-on eth1.30
            name-server 192.168.1.1
            name-server 1.1.1.1
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 1 {
            description "DNS Redirection"
            destination {
                port 53
            }
            inbound-interface eth1
            inside-address {
                address 192.168.1.1
                port 53
            }
            log disable
            protocol tcp_udp
            source {
                address 192.168.1.2-192.168.1.254
            }
            type destination
        }
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}

Please advise.

 

freakngeek
348 posts

Ultimate Geek


  #2016538 15-May-2018 21:41

I see above you are trying to force DNS to the router ?
I do it this way:

nat {
    rule 4000 {
        description "Policy DNAT: Force LAN DNS Requests to Router"
        destination {
            address !192.168.0.1
            port 53
        }
        inbound-interface eth1
        inside-address {
            address 192.168.0.1
        }
        log disable
        protocol tcp_udp
        type destination
    }
}

And you can set an IP to ignore that rule with this:
rule 4010 {
    description "OpenDNS for 192.168.0.6"
    destination {
        address !192.168.0.6
        port 53
    }
    inbound-interface eth1
    inside-address {
        address 208.67.222.222
    }
    log disable
    protocol tcp_udp
    type destination
}

Eth0 = WAN, Eth1 = LAN
IP 192.168.0.6 uses the OpenDNS DNS server; everybody else is forced to use the system DNS servers.

Probably won't help your issue above

 

I'm thinking VLAN issue somewhere along the line as Firewall looks correct


cyril7
7752 posts

Uber Geek

Trusted
Subscriber

  #2016597 16-May-2018 06:45

Hi, without looking through all of that config, why has vlan30 on the ER not been assigned an IP address? I doubt it will pick it up from its own DHCP server; as it is, it will not route.

 

So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway and adjust the pool to .10 - .250 or something like that.

 

Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan so the DHCP server on that network will not work properly.

 

Edit: also on the Dlink, is there a trunk port to connect to Eth1 of the ER? The config as shown does not show that. And the WAP, I assume this is on port 2 of the switch, so what's the mgmt vlan of the WAP? It is common (but not always) that vlan1 (untagged) is your mgmt vlan and user traffic is tagged, in your case 30.

 

Cyril

freakngeek
348 posts

Ultimate Geek


  #2016601 16-May-2018 07:08

cyril7:

Hi, without looking through all of that config, why has vlan30 on the ER not been assigned an IP address? I doubt it will pick it up from its own DHCP server; as it is, it will not route.

So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway and adjust the pool to .10 - .250 or something like that.

Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan so the DHCP server on that network will not work properly.

Cyril

I think:

default-router 192.168.30.1

Takes care of that

 

My thoughts are some where the VLAN is not right, either on AP or Switch as ERL3 looks right
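Two things in this thread lend themselves to a mechanical check rather than reading a long config by eye: cyril7's question of whether the VLAN interface's own address matches the DHCP subnet's default-router, and the scope of the DNS-forcing rules. Both t0ny's rule 1 (inbound-interface eth1, source 192.168.1.2-254) and freakngeek's rule 4000 (inbound-interface eth1) are bound to the untagged interface; EdgeOS treats eth1.30 as a separate interface, so DNS requests from VLAN 30 are never rewritten and an IoT client can use any resolver the IOT_WIFI_PROTECT_IN chain lets out. The script below is an added example, not code from any poster in this thread or from Ubiquiti. It parses a `show configuration`-style dump into nested dicts and reports, for every interface or VIF that carries an address, whether a dhcp-server subnet with a matching default-router exists, whether dns forwarding listens on that interface, and whether a port-53 destination NAT rule covers it. SAMPLE_CONFIG is a constructed, trimmed copy modelled on t0ny's config, and the function names are my own.

```python
"""Audit an EdgeOS-style config dump for per-VLAN DHCP and DNS consistency. Added
example, not thread or Ubiquiti code; SAMPLE_CONFIG is a constructed, trimmed copy."""
import ipaddress

SAMPLE_CONFIG = """interfaces {
    ethernet eth1 {
        address 192.168.1.1/24
        vif 30 {
            address 192.168.30.1/24
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN1 {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
            }
        }
        shared-network-name VLAN30_IOT {
            subnet 192.168.30.0/24 {
                default-router 192.168.30.1
            }
        }
    }
    dns {
        forwarding {
            listen-on eth1
            listen-on eth1.30
        }
    }
    nat {
        rule 1 {
            destination {
                port 53
            }
            inbound-interface eth1
            type destination
        }
    }
}
"""

def _add(node, key, value):
    """Store value under key; a repeated key (listen-on, network, ...) becomes a list."""
    old = node.get(key)
    node[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]

def parse(text):
    """Turn `key [value] {` / `key [value]` / `}` lines into nested dicts."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append({})
            _add(stack[-2], line[:-1].strip(), stack[-1])
        else:
            key, _, value = line.partition(" ")
            _add(stack[-1], key, value)
    return stack[0]

def _children(node, prefix):
    """Yield (name, subnode) for keys such as 'ethernet eth1' or 'vif 30'."""
    return ((k.split()[1], v) for k, v in node.items() if k.startswith(prefix + " ") and isinstance(v, dict))

def interface_addresses(cfg):
    """[(ifname, ip_interface)] for every enabled ethernet port and VIF carrying an address."""
    out = []
    for eth, node in _children(cfg.get("interfaces", {}), "ethernet"):
        if "address" in node and "disable" not in node:
            out.append((eth, ipaddress.ip_interface(node["address"])))
        out += [(f"{eth}.{vid}", ipaddress.ip_interface(v["address"])) for vid, v in _children(node, "vif") if "address" in v]
    return out

def audit(text):
    """Return findings; empty means each addressed interface has a DHCP subnet, DNS listener and port-53 DNAT."""
    cfg = parse(text)
    svc = cfg.get("service", {})
    subnets = {ipaddress.ip_network(n): s.get("default-router")
               for _, sn in _children(svc.get("dhcp-server", {}), "shared-network-name")
               for n, s in _children(sn, "subnet")}
    lo = svc.get("dns", {}).get("forwarding", {}).get("listen-on", [])
    listen = set(lo if isinstance(lo, list) else [lo])
    # iptables matches -i eth1 only for untagged traffic, so each VIF needs its own DNAT rule
    redirect = {r.get("inbound-interface") for _, r in _children(svc.get("nat", {}), "rule")
                if r.get("type") == "destination" and r.get("destination", {}).get("port") == "53"}
    findings = []
    for ifname, iface in interface_addresses(cfg):
        if subnets.get(iface.network) != str(iface.ip):
            findings.append(f"{ifname}: dhcp default-router {subnets.get(iface.network)} is not the interface address {iface.ip}")
        if ifname not in listen:
            findings.append(f"{ifname}: dns forwarding has no listen-on for this interface")
        if ifname not in redirect:
            findings.append(f"{ifname}: no port-53 destination NAT on this interface, so clients can bypass the router resolver")
    return findings
```

Run against the sample, `audit()` reports only that eth1.30 has no port-53 DNAT; the other two checks pass because the VIF address 192.168.30.1 equals the VLAN30_IOT default-router and dnsmasq listens on eth1.30. The parser is deliberately minimal (one token per line, `{` and `}` on their own boundaries), which is exactly what `show configuration` emits; a description value ending in `{` would confuse it.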


cyril7
7752 posts

Uber Geek

Trusted
Subscriber

  #2016623 16-May-2018 08:15

Doh, missed that. There are multiple stanzas that could probably be better in one than distributed across multiple entries, so it makes it a bit cumbersome to read.

 

Cyril



t0ny

306 posts

Ultimate Geek

Lifetime subscriber

  #2016640 16-May-2018 08:46

Thanks everyone, I am starting to lean towards a switch issue. The Dlink appears to lock up if I attempt to use 802.1Q and a hard reset is the only thing that gets it working again. Will pick up a UniFi switch this afternoon and give it another go.

 


t0ny

306 posts

Ultimate Geek

Lifetime subscriber

  #2017221 16-May-2018 21:30

Quick update: set up VLAN trunking on my new UniFi switch and it worked as expected. Is there a way to configure the UniFi so only the Cambium is allowed to patch into that port? Want to stop people from just plugging in their laptop :)

 


cyril7
7752 posts

Uber Geek

Trusted
Subscriber

  #2017277 17-May-2018 06:24

Hi, you could use mac-filtering, alternatively most of us lock the cabinets.

 

Cyril

